Malware Analysis Report

2024-08-06 09:34

Sample ID 231125-dnk6gsgb66
Target ryuk.bin.zip
SHA256 db670caff58f0802a99720ba76d29940eb62174bb3a884cd9a14432666eab7bf
Tags ryuk persistence ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 db670caff58f0802a99720ba76d29940eb62174bb3a884cd9a14432666eab7bf

Threat Level: Known bad

The file ryuk.bin.zip was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2023-11-25 03:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2023-11-25 03:09
Reported 2023-11-25 03:12
Platform win10v2004-20231023-en
Max time kernel 152s
Max time network 150s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\users\Public\HrGdb.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\users\Public\HrGdb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\users\Public\HrGdb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\HrGdb.exe" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fr.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sv-SE\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\cacerts C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqloledb.rll C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\accessibility.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\jvm.lib C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Windows\system32\sihost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3125601242-331447593-1512828465-1000\{B65F59C5-4EDF-42E0-8050-C660401E40AF} C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\users\Public\HrGdb.exe N/A
N/A N/A C:\users\Public\HrGdb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\users\Public\HrGdb.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\users\Public\HrGdb.exe
PID 2604 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\users\Public\HrGdb.exe
PID 1396 wrote to memory of 2584 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 2584 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 2692 N/A C:\users\Public\HrGdb.exe C:\Windows\system32\sihost.exe
PID 1396 wrote to memory of 2808 N/A C:\users\Public\HrGdb.exe C:\Windows\system32\svchost.exe
PID 2584 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2584 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1396 wrote to memory of 2848 N/A C:\users\Public\HrGdb.exe C:\Windows\system32\taskhostw.exe
PID 1396 wrote to memory of 3436 N/A C:\users\Public\HrGdb.exe C:\Windows\system32\svchost.exe
PID 1396 wrote to memory of 3688 N/A C:\users\Public\HrGdb.exe C:\Windows\system32\DllHost.exe
PID 1396 wrote to memory of 3780 N/A C:\users\Public\HrGdb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1396 wrote to memory of 3840 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1396 wrote to memory of 3936 N/A C:\users\Public\HrGdb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1396 wrote to memory of 3468 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1396 wrote to memory of 4428 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1396 wrote to memory of 2876 N/A C:\users\Public\HrGdb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1396 wrote to memory of 4856 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1396 wrote to memory of 1844 N/A C:\users\Public\HrGdb.exe C:\Windows\System32\RuntimeBroker.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\users\Public\HrGdb.exe

"C:\users\Public\HrGdb.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HrGdb.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HrGdb.exe" /f

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

C:\Users\Public\HrGdb.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\users\Public\HrGdb.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/2692-8-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-9-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-23-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

F:\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

memory/2692-32-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-34-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-36-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-42-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-46-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-48-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-50-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-43-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-54-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-53-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-56-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-61-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-58-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-66-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-64-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-71-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-70-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-73-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-77-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-82-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-85-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-88-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-91-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-94-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-80-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-95-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-97-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-101-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-76-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-104-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-107-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-110-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-113-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2692-105-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/2876-222-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

memory/3780-218-0x00007FF605530000-0x00007FF6058BE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2023-11-25 03:09
Reported 2023-11-25 03:11
Platform win7-20231023-en
Max time kernel 150s
Max time network 126s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Deletes itself

Description Indicator Process Target
N/A N/A C:\users\Public\FaiDx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\users\Public\FaiDx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\FaiDx.exe" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\ExpandSwitch.jpeg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml C:\Windows\system32\taskhost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\users\Public\FaiDx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\users\Public\FaiDx.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\users\Public\FaiDx.exe

"C:\users\Public\FaiDx.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\FaiDx.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\FaiDx.exe" /f

Network

N/A

Files

\Users\Public\FaiDx.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\Users\Public\FaiDx.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
